Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 379739

Summary: <www-apps/mantisbt-1.2.7 Cross-Site Scripting Vulnerability (CVE-2011-2938)
Product: Gentoo Security Reporter: David Hicks <david>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: pva, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mantisbt.org/bugs/view.php?id=13245
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description David Hicks 2011-08-18 15:34:15 UTC 
Original vulnerability report by Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels for distributions and standalone users to pick up.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2011-08-18 16:46:06 UTC 
1.2.7 Is not still out, but the vulnerability is fixed in git repository.

@Peter, Please choise if you want add directly 1.2.7, or patch 1.2.6.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-08-25 06:19:38 UTC 
1.2.7 that fixes this issue is in the tree. Arch teams, please, stabilize.
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-25 17:35:29 UTC 
amd64 ok
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-25 17:49:17 UTC 
ppc keywords dropped
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-08-26 11:04:32 UTC 
x86 stable. Thanks
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-08-26 11:11:54 UTC 
+  26 Aug 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #379739 filed by David Hicks.

Arches done, ready for GLSA voting.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-08-26 11:59:33 UTC 
Closing noglsa.